Web Application Security

OWASP

  • Top Ten

    1. Injection
    2. Broken Authentication
    3. Sensitive Data Exposure
    4. XML External Entities (XXE)
    5. Broken Access Control
    6. Security Misconfiguration
    7. Cross-Site Scripting (XSS)
    8. Insecure Deserialization
    9. Using Components with Known Vulnerabilities
    10. Insufficient Logging & Monitoring

Cross-Site Scripting (XSS)

CSRF

SSRF

Session Management

URL Rewriting

  • Pros

    • Always works regardless of cookie settings
  • Cons

    • Not secure, as the session ID is exposed in the URL (logs, browser history, Referer headers)
    • Only works for textual information

Cookies

Java

HTTP Authentication

HTTP Basic

  • A request contains a header field of the form Authorization: Basic <credentials>, where <credentials> is the Base64 encoding of the ID and password joined by a single colon (:)

    1. Get encoded credentials

      # quote the placeholder so the shell does not treat < and > as redirections
      CREDENTIALS=$(printf '%s' '<ID>:<Password>' | base64)

    2. Include in HTTP request with Authorization header:

      Authorization: Basic ${CREDENTIALS}

HTTP Digest Authentication

  • Similar to HTTP Basic, but sends an MD5 hash of the credentials instead of their Base64 encoding.
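The two schemes above side by side, as an added example (not code from the original notes): Basic is a reversible encoding that any observer can decode, while Digest sends an MD5 response bound to a server nonce and is verified against a stored HA1. The sample credentials and nonce are the example values from RFC 7617 and RFC 2617; the issued-nonce set is an assumed server-side store.

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(user: str, password: str) -> str:
    """Authorization value for HTTP Basic (RFC 7617): Base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> tuple:
    """Recover the plaintext from a Basic header. Base64 is an encoding, not a
    hash: a proxy, log or packet capture that sees the header has the password,
    which is why Basic is only acceptable over TLS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server can store HA1 rather than
    the password; it is the secret the client proves knowledge of."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str = "00000001", cnonce: str = "", qop: str = "auth") -> tuple:
    """Client side of HTTP Digest (RFC 2617, algorithm=MD5, qop=auth):
    HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    Only the hash is sent, bound to this request and the server's nonce.
    MD5 is fast, so a captured response is still offline-guessable: Digest needs TLS too."""
    cnonce = cnonce or secrets.token_hex(8)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"), cnonce


def digest_verify(stored_ha1: str, method: str, uri: str, nonce: str, nc: str,
                  cnonce: str, response: str, issued_nonces: set, qop: str = "auth") -> bool:
    """Server side: accept only a nonce this server issued, retire it so the same
    header cannot be replayed, then recompute the expected response from HA1."""
    if nonce not in issued_nonces:
        return False
    issued_nonces.discard(nonce)
    expected, _ = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)
```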

Web

Permissions API

Content Security Policy (CSP)

HTTP Strict Transport Security (HSTS)

HTTP Public Key Pinning (HPKP), Deprecated

  • Key points

    • Deprecated; all major browsers have removed support because of its complex implementation
    • Declares that a website's HTTPS certificate should be treated as valid only if its public key appears in a pin list delivered in an HTTP response header, to prevent MITM attacks that use otherwise valid CA-issued certificates
    • Prevents Man-in-the-Middle attacks by ensuring the browser accepts only the pinned certificates for a domain
    • Relies on trust on first use: the pins are learned during the first interaction, which is assumed to be trustworthy

X-Frame-Options

  • Key points

    • Replaced by the Content-Security-Policy Level 2 frame-ancestors directive

Feature Policy

  • Key points

    • Defines a mechanism that allows developers to selectively enable and disable use of various browser features and APIs.
    • Replaced by Permissions Policy and Document Policy

Referrer Policy

  • Key points

    • Controls the Referer header sent by the browser to the server

      • no-referrer - No referrer information is sent
      • no-referrer-when-downgrade - The referrer is sent only when the protocol security level stays the same (HTTP -> HTTP, HTTPS -> HTTPS)
      • same-origin - The referrer is sent only when the referring page is from the same origin as the request
      • origin - The referrer is sent only when the referring page is from the same origin as the request, without its path
      • strict-origin - The referrer is sent only when the referring page is from the same origin as the request, without its query string
      • origin-when-cross-origin - The referrer is sent only when the referring page is from the same origin as the request, without its path, but sent in full when the referring page is from a different origin
      • strict-origin-when-cross-origin - The referrer is sent only when the referring page is from the same origin as the request, without its query string, but sent in full when the referring page is from a different origin
      • unsafe-url - The referrer is sent in full
  • Resources

Web - Tools